Security Experts See Coincidental Timing After Leak of Scraped Instagram User Data

Social media mainstay Instagram said hackers didn’t breach its systems, even as a massive wave of password reset emails, sent by its own systems to users, was traced to malicious activity.
Users on Thursday and Friday reported receiving emails from security@mail.instagram.com, sometimes dozens a day, stating that “we got a request to reset your Instagram password.” The emails stated that if the recipient didn’t initiate the activity, “you can ignore this message.”
Cybersecurity firm Malwarebytes tied the emails to criminals using stolen email addresses to abuse Instagram’s password-reset feature.
“Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses and more,” Malwarebytes said in a Saturday post to social platform X.
Instagram, part of Meta Platforms, confirmed the incident and said it has now locked down the spammed password-reset functionality.
“We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure,” Instagram said in a late Saturday post to X.
“You can ignore those emails – sorry for any confusion,” it said.
Failing to prevent the abuse of security functionality such as password resets carries a cost, said Javvad Malik, lead security awareness advocate at human risk management firm KnowBe4. “If an attacker can reliably trigger resets, they can manufacture panic, drive fatigue and nudge people into unsafe behavior,” he said.
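The control Malik is describing is a throttle on the reset endpoint itself: an unauthenticated caller should not be able to make the platform send a target more than a handful of reset emails per hour, nor send many resets from one source address. The sliding-window throttle below is an added example written for this article; it is not Instagram’s or Meta’s code, and its limits, window size and request stream are constructed assumptions chosen to show the behaviour.

```python
"""Sliding-window throttling of password-reset requests.

Added example (not Instagram's or Meta's code): models the control a
reset endpoint needs so that an unauthenticated caller cannot make the
platform flood a user's inbox. Limits, window size and the sample
request stream below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetThrottle:
    # Assumed limits: at most 3 reset emails per target address per hour,
    # and at most 20 reset requests per source IP per hour.
    per_target_limit: int = 3
    per_source_limit: int = 20
    window_seconds: int = 3600
    _by_target: dict = field(default_factory=lambda: defaultdict(deque))
    _by_source: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q: deque, now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allow(self, now: float, source_ip: str, target_email: str) -> bool:
        """Return True if a reset email may be sent for this request.

        The caller must return the same generic response to the user
        whether or not the email is actually sent, so that throttling
        does not become an account-enumeration oracle.
        """
        tq = self._by_target[target_email.lower()]
        sq = self._by_source[source_ip]
        self._prune(tq, now)
        self._prune(sq, now)
        if len(tq) >= self.per_target_limit or len(sq) >= self.per_source_limit:
            # Count the denied attempt against the source (so a flood keeps
            # the source throttled) but not against the target, so the real
            # user can still get a reset once the window has passed.
            sq.append(now)
            return False
        tq.append(now)
        sq.append(now)
        return True


# Constructed request stream: (seconds since start, source IP, target).
# One source address hammers a single victim; a different, legitimate
# user requests a reset for another account.
SAMPLE_REQUESTS = [
    (0,    "203.0.113.7",  "victim@example.com"),
    (5,    "203.0.113.7",  "victim@example.com"),
    (10,   "203.0.113.7",  "victim@example.com"),
    (15,   "203.0.113.7",  "victim@example.com"),   # over per-target limit
    (20,   "203.0.113.7",  "victim@example.com"),
    (30,   "198.51.100.4", "alice@example.com"),    # legitimate request
    (3700, "203.0.113.7",  "victim@example.com"),   # window elapsed: allowed again
]


def replay(requests, throttle=None):
    """Replay a request stream and report how many emails each target
    would actually receive and how many attempts were throttled."""
    throttle = throttle or ResetThrottle()
    sent = defaultdict(int)
    throttled = 0
    for t, ip, target in requests:
        if throttle.allow(t, ip, target):
            sent[target] += 1
        else:
            throttled += 1
    return dict(sent), throttled


if __name__ == "__main__":
    sent, throttled = replay(SAMPLE_REQUESTS)
    print("emails sent per target:", sent)
    print("attempts throttled:", throttled)
```

Replaying the constructed stream sends the victim three emails in the first hour, throttles the next two attempts, still serves the unrelated legitimate request, and allows one more reset once the hour has elapsed. In production the per-target and per-source counters would live in a shared store rather than process memory, and the per-target key should be the normalised address so that case or dot variants cannot be used to sidestep the limit.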
The mass password-reset messages followed the leak on Wednesday of a massive set of Instagram user data to a cybercrime forum by a threat actor using the handle “Solonik,” who described it as comprising “17M Global Users – 2024 Leak,” harvested using an unspecified API.
“Solonik has been highly active in recent days, releasing multiple large-scale data dumps,” cybersecurity firm Kela told Information Security Media Group.
Kela said that the leaked Instagram data isn’t from 2024, as claimed by Solonik. In what appears to be a case of “deliberate rebranding of stale data as new,” it’s identical to a set of data first shared to a dark web forum on May 20, 2022, by a user with the handle “Calssara,” and later leaked by a user with the handle “vanz” to BreachForums in June 2023, it said.
While old, the data does appear to be legitimate. Free breach notification service Have I Been Pwned said the Instagram dataset contains 17 million rows “of public Instagram information, including usernames, display names, account IDs and in some cases, geolocation data,” with 6.2 million of the records including an email address for the account, and in some cases also a phone number. The dataset contains no passwords.
Anyone with an exposed email address who’s signed up for Have I Been Pwned will be directly notified about the breach by the service, through that email address.
The timing of the mass-password-reset attack and leak of data appears to be coincidental. “The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised,” Have I Been Pwned said.
Multiple security researchers questioned whether the mass password reset attack may have used email addresses that one or more illicit data brokers scraped via Instagram’s API in 2022, and which were leaked in 2023.
Another mass scraping incident may have occurred in November 2024, when an account with the handle “YoursData” offered for sale on a cybercrime forum user data “freshly scraped” from Instagram over a three-month period, reported cybersecurity firm DarkEye. The YoursData listing said the scraped data comprised 489 million lines and included both public and hidden details, usernames, full names and email addresses.
Meta said it wasn’t aware of any such scraping attacks in either 2022 or 2024.
One possibility is that the data originates from a third-party service that integrates with Instagram.
Regardless, “the dataset circulating online poses a real risk to users through targeted phishing and social engineering,” Kela said, and warned users to beware “Instagram- or Meta-themed scams.”
Because the leaked data doesn’t include Instagram users’ passwords, users need not change them. But security experts advised all Instagram users to ensure they’ve activated multifactor authentication. MFA would prevent an attacker who obtains a user’s password by other means from immediately logging into the account (see: Missing MFA Strikes Again: Hacker Hits Collaboration Tools).
